SRX, JunOS, Linux and security

Packet mode and host-inbound traffic

Did you know that if you enable packet mode on a traffic interface of an SRX box,
host-inbound traffic is no longer allowed? The device can still process transit traffic,
but traffic destined to the device itself won't work. For example, apply a filter like
the one below to an interface and try to SSH to the IP 98.1.1.1: you shouldn't get in.


# show interfaces

ge-0/0/2 {
    unit 0 {
        family inet {
            filter {
                input inet-packet-mode;
                output inet-packet-mode;
            }
            address 98.1.1.1/24;
        }
    }
}

# top show firewall

family inet {
    filter inet-packet-mode {
        term 10 {
            then {
                packet-mode;
                accept;
            }
        }
    }
}

If you are wondering why: the documentation says that host-inbound traffic is only allowed
if it is sent to the flow daemon for inspection, and the packet-mode action bypasses the flow daemon.

PS: You can selectively exclude the local IP from packet mode, but here I just want to show the behavior change.
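As an added example (not from the original post), here is one way to do the selective exclusion mentioned in the PS, keeping the page's filter name and address 98.1.1.1; the term names are my own. Terms are evaluated top to bottom, so the exemption must come before the packet-mode term.

```junos
# Added example: keep traffic addressed to the box itself in flow mode so it still
# reaches the flow daemon (host-inbound works), and put only the remaining
# traffic into packet mode. 98.1.1.1 is the interface address from the post;
# the term names "host-inbound" and "transit" are assumed, not from the page.
firewall {
    family inet {
        filter inet-packet-mode {
            term host-inbound {
                from {
                    destination-address {
                        98.1.1.1/32;
                    }
                }
                then accept;
            }
            term transit {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
```

Apply it to ge-0/0/2 as input and output filter exactly as in the post; after commit, SSH to 98.1.1.1 should succeed again while transit traffic through the interface still bypasses the flow daemon.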